Merge pull request marshallbrekka#1 from segmentio/master

Merge upstream

Makefile

@@ -1,42 +1,43 @@
-version := $$CIRCLE_TAG
+VERSION := $(shell git describe --tags --always --dirty="-dev")
+LDFLAGS := -ldflags='-X "main.Version=$(VERSION)"'
 
 release: gh-release govendor clean dist
 	github-release release \
 	--security-token $$GH_LOGIN \
 	--user segmentio \
 	--repo aws-okta \
-	--tag $(version) \
-	--name $(version)
+	--tag $(VERSION) \
+	--name $(VERSION)
 
 	github-release upload \
 	--security-token $$GH_LOGIN \
 	--user segmentio \
 	--repo aws-okta \
-	--tag $(version) \
-	--name aws-okta-$(version)-linux-amd64 \
-	--file dist/aws-okta-$(version)-linux-amd64
+	--tag $(VERSION) \
+	--name aws-okta-$(VERSION)-linux-amd64 \
+	--file dist/aws-okta-$(VERSION)-linux-amd64
 
 release-mac: gh-release govendor clean dist-mac
 	github-release upload \
 	--security-token $$GH_LOGIN \
 	--user segmentio \
 	--repo aws-okta \
-	--tag $(version) \
-	--name aws-okta-$(version)-darwin-amd64 \
-	--file dist/aws-okta-$(version)-darwin-amd64
+	--tag $(VERSION) \
+	--name aws-okta-$(VERSION)-darwin-amd64 \
+	--file dist/aws-okta-$(VERSION)-darwin-amd64
 
 clean:
 	rm -rf ./dist
 
 dist:
 	mkdir dist
 	govendor sync
-	GOOS=linux GOARCH=amd64 go build -o dist/aws-okta-$(version)-linux-amd64
+	GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o dist/aws-okta-$(VERSION)-linux-amd64
 
 dist-mac:
 	mkdir dist
 	govendor sync
-	GOOS=darwin GOARCH=amd64 go build -o dist/aws-okta-$(version)-darwin-amd64
+	GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o dist/aws-okta-$(VERSION)-darwin-amd64
 
 gh-release:
 	go get -u github.com/aktau/github-release

README.md

@@ -65,6 +65,32 @@ region = <region>
 
 Your setup may require additional roles to be configured if your admin has set up a more complicated role scheme like cross account roles.  For more details on the authentication process, see the internals section.
 
+#### A more complex example
+
+The `aws_saml_url` can be set in the "okta" ini section, or on a per profile basis. This is useful if, for example, your organization has several Okta Apps (i.e. one for dev/qa and one for prod, or one for internal use and one for integrations with third party providers). For example:
+
+```ini
+[okta]
+# This is the "default" Okta App
+aws_saml_url = home/amazon_aws/cuZGoka9dAIFcyG0UllG/214
+
+[profile dev]
+# This profile uses the default Okta app
+role_arn = arn:aws:iam::<account-id>:role/<okta-role-name>
+
+[profile integrations-auth]
+# This is a distinct Okta App
+aws_saml_url = home/amazon_aws/woezQTbGWUaLSrYDvINU/214
+arn:aws:iam::<account-id>:role/<okta-role-name>
+
+[profile vendor]
+# This profile uses the "integrations-auth" Okta app combined with secondary role assumption
+source = integrations-auth
+role_arn = arn:aws:iam::<account-id>:role/<secondary-role-name>
+```
+
+The configuration above means that you can use multiple Okta Apps at the same time and switch between them easily.
+
 ## Backends
 
 We use 99design's keyring package that they use in `aws-vault`.  Because of this, you can choose between different pluggable secret storage backends just like in `aws-vault`.  You can either set your backend from the command line as a flag, or set the `AWS_OKTA_BACKEND` environment variable.
@@ -78,6 +104,10 @@ $ export CIRCLE_TAG=`git describe --tags`
 $ make release-mac
 ```
 
+## Analytics
+
+`aws-okta` includes some usage analytics code which Segment uses internally for tracking usage of internal tools.  This analytics code is turned off by default, and can only be enabled via a linker flag at build time, which we do not set for public github releases.
+
 ## Internals
 
 ### Authentication process

cmd/add.go

@@ -7,6 +7,7 @@ import (
 	log "github.com/Sirupsen/logrus"
 
 	"github.com/99designs/keyring"
+	analytics "github.com/segmentio/analytics-go"
 	"github.com/segmentio/aws-okta/lib"
 	"github.com/spf13/cobra"
 )
@@ -27,18 +28,23 @@ func add(cmd *cobra.Command, args []string) error {
 	if backend != "" {
 		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
 	}
-	kr, err := keyring.Open(keyring.Config{
-		AllowedBackends:          allowedBackends,
-		KeychainTrustApplication: true,
-		// this keychain name is for backwards compatibility
-		ServiceName:             "aws-okta-login",
-		LibSecretCollectionName: "awsvault",
-	})
+	kr, err := lib.OpenKeyring(allowedBackends)
 
 	if err != nil {
 		log.Fatal(err)
 	}
 
+	if analyticsEnabled && analyticsClient != nil {
+		analyticsClient.Enqueue(analytics.Track{
+			UserId: username,
+			Event:  "Ran Command",
+			Properties: analytics.NewProperties().
+				Set("backend", backend).
+				Set("aws-okta-version", version).
+				Set("command", "add"),
+		})
+	}
+
 	// Ask username password from prompt
 	organization, err := lib.Prompt("Okta organization", false)
 	if err != nil {

cmd/exec.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/99designs/keyring"
+	analytics "github.com/segmentio/analytics-go"
 	"github.com/segmentio/aws-okta/lib"
 	"github.com/spf13/cobra"
 )
@@ -110,17 +111,23 @@ func execRun(cmd *cobra.Command, args []string) error {
 		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
 	}
 
-	kr, err := keyring.Open(keyring.Config{
-		AllowedBackends:          allowedBackends,
-		KeychainTrustApplication: true,
-		// this keychain name is for backwards compatibility
-		ServiceName:             "aws-okta-login",
-		LibSecretCollectionName: "awsvault",
-	})
+	kr, err := lib.OpenKeyring(allowedBackends)
 	if err != nil {
 		return err
 	}
 
+	if analyticsEnabled && analyticsClient != nil {
+		analyticsClient.Enqueue(analytics.Track{
+			UserId: username,
+			Event:  "Ran Command",
+			Properties: analytics.NewProperties().
+				Set("backend", backend).
+				Set("aws-okta-version", version).
+				Set("profile", profile).
+				Set("command", "exec"),
+		})
+	}
+
 	p, err := lib.NewProvider(kr, profile, opts)
 	if err != nil {
 		return err
@@ -145,7 +152,6 @@ func execRun(cmd *cobra.Command, args []string) error {
 
 	env.Set("AWS_ACCESS_KEY_ID", creds.AccessKeyID)
 	env.Set("AWS_SECRET_ACCESS_KEY", creds.SecretAccessKey)
-	env.Set("AWS_PROFILE", profile)
 
 	if creds.SessionToken != "" {
 		env.Set("AWS_SESSION_TOKEN", creds.SessionToken)

cmd/login.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 
 	"github.com/99designs/keyring"
+	analytics "github.com/segmentio/analytics-go"
 	"github.com/segmentio/aws-okta/lib"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
@@ -20,8 +21,12 @@ var loginCmd = &cobra.Command{
 	RunE:  loginRun,
 }
 
+// Stdout is the bool for -stdout
+var Stdout bool
+
 func init() {
 	RootCmd.AddCommand(loginCmd)
+	loginCmd.Flags().BoolVarP(&Stdout, "stdout", "", false, "Print login URL to stdout instead of opening in default browser")
 }
 
 func loginRun(cmd *cobra.Command, args []string) error {
@@ -58,13 +63,22 @@ func loginRun(cmd *cobra.Command, args []string) error {
 	if backend != "" {
 		allowedBackends = append(allowedBackends, keyring.BackendType(backend))
 	}
-	kr, err := keyring.Open(keyring.Config{
-		AllowedBackends:          allowedBackends,
-		KeychainTrustApplication: true,
-		// this keychain name is for backwards compatibility
-		ServiceName:             "aws-okta-login",
-		LibSecretCollectionName: "awsvault",
-	})
+	kr, err := lib.OpenKeyring(allowedBackends)
+	if err != nil {
+		return err
+	}
+
+	if analyticsEnabled && analyticsClient != nil {
+		analyticsClient.Enqueue(analytics.Track{
+			UserId: username,
+			Event:  "Ran Command",
+			Properties: analytics.NewProperties().
+				Set("backend", backend).
+				Set("aws-okta-version", version).
+				Set("profile", profile).
+				Set("command", "login"),
+		})
+	}
 
 	p, err := lib.NewProvider(kr, profile, opts)
 	if err != nil {
@@ -135,8 +149,11 @@ func loginRun(cmd *cobra.Command, args []string) error {
 		url.QueryEscape(signinToken),
 	)
 
-	if err = open.Run(loginURL); err != nil {
+	if Stdout {
+		fmt.Println(loginURL)
+	} else if err = open.Run(loginURL); err != nil {
 		return err
 	}
+
 	return nil
 }

cmd/root.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/99designs/keyring"
 	log "github.com/Sirupsen/logrus"
+	analytics "github.com/segmentio/analytics-go"
 	"github.com/spf13/cobra"
 )
 
@@ -20,22 +21,31 @@ var (
 
 // global flags
 var (
-	backend string
-	debug   bool
+	backend           string
+	debug             bool
+	version           string
+	analyticsWriteKey string
+	analyticsEnabled  bool
+	analyticsClient   analytics.Client
+	username          string
 )
 
 // RootCmd represents the base command when called without any subcommands
 var RootCmd = &cobra.Command{
-	Use:              "aws-okta",
-	Short:            "aws-okta allows you to authenticate with AWS using your okta credentials",
-	SilenceUsage:     true,
-	SilenceErrors:    true,
-	PersistentPreRun: prerun,
+	Use:               "aws-okta",
+	Short:             "aws-okta allows you to authenticate with AWS using your okta credentials",
+	SilenceUsage:      true,
+	SilenceErrors:     true,
+	PersistentPreRun:  prerun,
+	PersistentPostRun: postrun,
 }
 
 // Execute adds all child commands to the root command sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
-func Execute() {
+func Execute(vers string, writeKey string) {
+	version = vers
+	analyticsWriteKey = writeKey
+	analyticsEnabled = analyticsWriteKey != ""
 	if err := RootCmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err)
 		switch err {
@@ -58,6 +68,26 @@ func prerun(cmd *cobra.Command, args []string) {
 	if debug {
 		log.SetLevel(log.DebugLevel)
 	}
+
+	if analyticsEnabled {
+		// set up analytics client
+		analyticsClient, _ = analytics.NewWithConfig(analyticsWriteKey, analytics.Config{
+			BatchSize: 1,
+		})
+
+		username = os.Getenv("USER")
+		analyticsClient.Enqueue(analytics.Identify{
+			UserId: username,
+			Traits: analytics.NewTraits().
+				Set("aws-okta-version", version),
+		})
+	}
+}
+
+func postrun(cmd *cobra.Command, args []string) {
+	if analyticsEnabled && analyticsClient != nil {
+		analyticsClient.Close()
+	}
 }
 
 func init() {

cmd/version.go

@@ -0,0 +1,24 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+// versionCmd represents the version command
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "print version",
+	RunE:  versionRun,
+}
+
+func init() {
+	RootCmd.AddCommand(versionCmd)
+}
+
+func versionRun(cmd *cobra.Command, args []string) error {
+	fmt.Fprintf(os.Stdout, "aws-okta %s\n", version)
+	return nil
+}

lib/keyring.go

@@ -0,0 +1,23 @@
+package lib
+
+import (
+	"github.com/99designs/keyring"
+)
+
+func keyringPrompt(prompt string) (string, error) {
+	return Prompt(prompt, true)
+}
+
+func OpenKeyring(allowedBackends []keyring.BackendType) (kr keyring.Keyring, err error) {
+	kr, err = keyring.Open(keyring.Config{
+		AllowedBackends:          allowedBackends,
+		KeychainTrustApplication: true,
+		// this keychain name is for backwards compatibility
+		ServiceName:             "aws-okta-login",
+		LibSecretCollectionName: "awsvault",
+		FileDir:                 "~/.aws-okta/",
+		FilePasswordFunc:        keyringPrompt,
+	})
+
+	return
+}